SSL certificate expiration mails on WebSphere

In WebSphere you have an SSL certificate expiration checker. This
mechanism monitors the expiration dates of all the SSL certificates
that are configured in WebSphere.

You can control how many days before a certificate expires WebSphere will
send a notification mail and how frequently the check is performed.

Mail notification needs to be configured with an SMTP server and a recipient
address.

You also have the options “Automatically replace expiring self-signed certificates”
and “Delete expiring certificates and signers after replacement”.

But in a Connections setup these two options will not take away any manual
work. If you have a Connections config with an IHS webserver in front you will always
have to export the new SSL key and import it into the plugin-cfg.kdb file
of the WAS plugin on the IHS webserver. If you don’t do this, the connection
between WebSphere and the IHS webserver will no longer work.
Clients will be faced with 500 error pages when they want to visit Connections.

Everything written above works perfectly; the only thing that doesn’t function the
way you want it to is the sending of the notification mails.
The mails will be sent whether the certificate is about to expire or not. With a notification
threshold of 30 days and a Connections setup with multiple JVM servers
you will receive 11 mails about certificates that aren’t about to expire every
30 days :-) .

The described behavior has been noted and is fixed in WAS version 6.1.0.27.

Check the technote.

If you don’t want to install a complete new fixpack, we also got
our hands on the ifix, which will not have as much impact on your
WAS install as a complete new fixpack.

We now just renew the WebSphere certs to somewhere at the end
of 2020 and disable the SSL certificate check. This saves us from installing
a fixpack or ifix for every LC installation and keeping this up to date.

The default expiration period for WebSphere’s own SSL certificate
is one year, but my experience is that this can vary with every fixpack
level.

su ulimit configuration issue on SLES servers

At our company we use SLES as the favored Linux distribution. 

Sudo and su are used to make things on the servers work
a little bit more secure.

We had problems on some dated versions of SUSE with running
the su command in combination with ulimit settings.

Limits were set in the file /etc/security/limits.conf for a particular
user but after a su switch to that user the limits set weren’t
honored.

The problem was that the pam_limits module wasn’t loaded in the /etc/pam.d/su
configuration file. I just added the rule

session required        pam_limits.so

to the file; after that, limits were handled correctly when using the su command.

In later versions of SLES the whole PAM configuration is set up
a little bit differently. There are common config files which are
included by the different sub parts.

/etc/pam.d/su
session include common-session

/etc/pam.d/common-session
session required pam_limits.so
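
A way to verify both layouts described above, as an added example that is not part of the original post: the script resolves the session stack of a PAM service, following include lines, and reports whether pam_limits.so is on it. The sample files are constructed, pam_unix.so is only a stand-in for whatever else the stack contains, and the check does not evaluate control flags that could skip a module.

```python
import os
import tempfile


def session_modules(pam_dir, service, chain=()):
    """Return the module names on a service's session stack, following includes."""
    path = os.path.join(pam_dir, service)
    if service in chain or not os.path.isfile(path):
        return []  # include loop or missing file contributes nothing
    found = []
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()  # drop comments
            if len(fields) >= 2 and fields[0] == "@include":
                # Debian-style directive: pulls in the whole file
                found += session_modules(pam_dir, fields[1], chain + (service,))
                continue
            if len(fields) < 3 or fields[0].lstrip("-") != "session":
                continue
            rest = fields[1:]
            # A bracketed control such as [success=1 default=ignore] spans fields
            while len(rest) > 1 and rest[0].startswith("[") and not rest[0].endswith("]"):
                rest[1] = rest[0] + " " + rest[1]
                rest.pop(0)
            if len(rest) < 2:
                continue
            control, target = rest[0], rest[1]
            if control in ("include", "substack"):
                found += session_modules(pam_dir, target, chain + (service,))
            else:
                found.append(os.path.basename(target))
    return found


def su_honours_limits(pam_dir, service="su"):
    """True when pam_limits.so is on the service's effective session stack."""
    return "pam_limits.so" in session_modules(pam_dir, service)


# Constructed sample configurations (not taken from a real host).
SAMPLES = {
    "old su, rule missing": {
        "su": "auth     required  pam_unix.so\nsession  required  pam_unix.so\n",
    },
    "old su, rule added": {
        "su": "session  required  pam_unix.so\nsession required        pam_limits.so\n",
    },
    "newer, via include": {
        "su": "session include common-session\n",
        "common-session": "session required pam_limits.so\n",
    },
    "newer, rule commented out": {
        "su": "session include common-session\n",
        "common-session": "#session required pam_limits.so\nsession required pam_unix.so\n",
    },
}


def check_samples():
    """Write each sample to a temporary pam.d directory and evaluate it."""
    results = {}
    for name, files in SAMPLES.items():
        with tempfile.TemporaryDirectory() as pam_dir:
            for fname, body in files.items():
                with open(os.path.join(pam_dir, fname), "w") as fh:
                    fh.write(body)
            results[name] = su_honours_limits(pam_dir)
    return results


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print("%-28s pam_limits loaded: %s" % (name, ok))
```

On a real host, call su_honours_limits("/etc/pam.d") and repeat it for every service that switches users, for example sudo or sshd.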

MythTV edits

I run MythTV 0.23 on my openSUSE 11.2 server. I use this box to serve my
website lotusconnections.org but also as my home-cinema set to watch movies.

Because everything is not pre-configured it takes a lot of time to smooth the
whole system to your needs. From time to time you come up with additions
that make it all work even better.

I use fluxbox as the window manager, which always has a toolbar in the bottom
center of the screen. You can enable auto-hide for this thing, but you will
always see a few pixels. This can be annoying if you are watching a movie
with MythMovie and you are still looking at a little blue bar at the bottom of the screen.
( MPlayer doesn’t have this problem, it just takes over the whole screen, but you
  want MythMovie to watch DVDs because it supports DVD menus. )

To get rid of this toolbar I decided to compile it again with the parameters --disable-toolbar
and --disable-slit since I couldn’t find out how else I had to disable the bottom screen toolbar.

I was somewhat confused about what was the slit and what the toolbar, so I took the hard way
and compiled fluxbox again with these two options.

Later on I found out that there seems to be an option in the init file that you
can use to disable the toolbar. ( Didn’t try this one out )

session.screen0.toolbar.visible:        false

Configured a background image for fluxbox with fbsetbg ( just a wrapper ); it uses feh as the program

install@hertogjan:~> /opt/fluxbox/bin/fbsetbg -i

feh is a nice wallpaper setter. You won’t have any problems.

Also configured a custom background for GDM. GDM stands for GNOME Display Manager,
it’s a graphical login program. In previous releases of GDM there were GUIs for configuring
custom things like your own background image, but since they started rewriting the code
some of the functionality has been dropped. ( don’t pin me down on this, but it’s what I have
read here and there on the internet ).

To get my own background image working I had to install this RPM package

gconf2-branding-openSUSE-2.28-4.4.noarch.

After this RPM install, you can edit the background tag in this XML file

/etc/gconf/gconf.xml.vendor/%gconf-tree.xml

I configured this one as my GDM background

Furthermore I wanted to get rid of the mouse cursor when MythTV was loading
once X was started up. In Xorg you can’t disable the mouse cursor; it will always be there.

I found a hack that lets you configure a mouse cursor which is so small you won’t
be able to see it.

This shows how it can be done: create a file with the following content.

#define nn1_width 16
#define nn1_height 16
static unsigned char nn1_bits[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

In the /home/mythtv/.fluxbox/init file of the user which is running MythTV
configure the rootCommand as follows.

session.screen0.rootCommand:   xsetroot -cursor /home/mythtv/emptycursor /home/mythtv/emptycursor

I still don’t get why I can’t put this option in the startup file just as the other
commands but I found this is the only combination that gets it working.

Further check my startup file of the mythtv user below with some more adjustments I made.

/home/mythtv/.fluxbox/startup

xset -b                           # disable the bell
xset -dpms s off              # disable DPMS (Energy Star) features and the screensaver
xsetroot -solid black        #Background of the root window to black
xsetroot -bg black           #Background color to black
xvattr -a XV_COLORKEY -v 66048        # NVIDIA fix blue bars
#xsetroot -cursor /home/mythtv/emptycursor /home/mythtv/emptycursor
/opt/fluxbox/bin/fbsetbg -c /home/mythtv/mythtvbackground.png   #set a custom wallpaper

Lotus Connections 2.5 Fixpack2 a.k.a. LC2502

A couple of weeks ago Fixpack 2 for Connections 2.5 was released.

Mitch Cohen is always one of the first to bring the good news to the
world; check his blog entry for the important links.

http://www.curiousmitch.com/CuriousMitch/mitch2.nsf/d6plinks/MCON-85ZFQU

But as an addition to this information I would like to share
my experience installing this update.

When you read through the update guide you will bump into iFix
LO52087, which is an update for the TDISOL config directory as
used by Tivoli Directory Integrator.

This is a mandatory fix, and although English is not my primary
language this means “required”, Google translate is my friend :-) .

Before getting to the upgrade process of Fixpack 2 I first wanted
to install this iFix. The first problem was that it was mentioned
in the documentation but wasn’t available yet at Fixcentral.
After it was released the Technote was not available. So again
waiting for this to complete; a few days later the technote was
updated and installation instructions were available.

Unfortunately the instructions were far from complete; the iFix
itself is just a new version of the TDISOL directory. The instructions
are somewhat similar to those in the InfoCenter for setting up an initial
TDISOL config directory.

There are no instructions for how you have to copy/migrate
your old property files to the new TDISOL config directory.
You can’t just copy your old property files because the syntax
used is different and there are some new options.

In my current TDISOL config dir. I made edits to the following
three files.

- profiles_functions.js
- profiles_tdi.properties.
- map_dbrepos_from_source.properties

To get the correct information from my profiles_tdi.properties
and combine this with the new options from the profiles_tdi.properties
from LO52087 I used sdiff.
With sdiff you can merge two files in an interactive mode and save
the outcome in a new file so you will have the best from both worlds :-p.

#sdiff -o profiles_tdi.properties profiles_tdiOLD.properties profiles_tdiLO5287.properties

For profiles_functions.js I just copied my self-written functions.
And to migrate the file map_dbrepos_from_source.properties I just
placed both files next to each other and created my own new version.

That concludes the fun I had with LO52087. I filled in the “Rate this
page” section of the technote to do some more than just
throwing mud at the walls of big blue.

Next thing to do was to really apply Fixpack 2.
Starting from the third point :-) the installation instructions are
documented very well, except for the time frame you
have to keep in mind when installing this Fixpack. Because what
the UpdateInstaller does when installing Fixpack 2 is uninstalling
all iFixes applied after Fixpack 1.

( Probably all applied after Fixpack 1, but I don’t know this for sure ).

As an overactive Connections administrator I applied all
iFixes until 13 May 2010. This then brought me a very long
upgrade process which took twelve hours, only waiting for the installer
to finish. Only installing the Fixpack will take you like twenty minutes.
Post installation tasks can be done in an hour.
( note, time needed is of course related to used hardware )

This all disappointed me a bit, because I thought: yeah, a Fixpack, no
need to wait such a long time for applying all these iFixes one
by one. Unfortunately the truth is somewhat different under
certain circumstances.

This upgrade fact is certainly something to keep in mind
when you want to upgrade a production cluster deployment
with a lot of iFixes applied.

“The update installer does not currently support 24×7
updates. You must apply the updates at a time when
no one is logged into the product.
See Preparing Lotus Connections for maintenance
for more information.”

Lotus Notes 8.5 Ubuntu 10.04 external link issue

Getting Lotus Notes 8.5 to run on your Ubuntu install isn’t as
easy as you would like it to be. There are a lot of guides which
describe extra steps you have to take to get it running smoothly
depending on the release you are using.

After I upgraded my Ubuntu to version 10.04 I again had the problem
that opening attachments and URL links with Firefox
wasn’t working.  With earlier releases of Ubuntu I found the guide
printed below to be helpful but for this release it was a no go.

http://ubuntuforums.org/showthread.php?p=4268844

“Issue #9: Open, Edit, or View attachment dialog disappears
“When a customer clicks an attachment within the Lotus
Notes® client for Linux®, the Open Attachment dialog box
provides the customer with options to Open, Edit, or View the
attachment.  When any of these three options are opened
the dialog box disappears and no action is taken.
Generally, this problem is seen with attachments that are
not of a common file type in Linux. However, this problem
can also occur for common Linux file types such as odt
and pdf.” -Harmony Pirate Blog

Do the following:
Code:

     sudo mv /opt/ibm/lotus/notes/openwith /opt/ibm/lotus/notes/openwith.old
    sudo ln -s $(which gnome-open) /opt/ibm/lotus/notes/openwith

Because the tip above wasn’t working anymore I gave up the struggle.
I couldn’t find any helpful links on Google either, which didn’t make it
less annoying to copy and paste URLs between Notes and Firefox, because I
really prefer to work with Firefox instead of the internal browser of Notes.

This weekend I decided to give the search for a fix one more try. I saw
that Fixpack 3 of Lotus Notes 8.5 was released so I installed this one,
all with the hope that it maybe would resolve my issue.

No luck, after the update the issue was still there. But because I started
my Notes client in a terminal screen I saw all the startup code scrolling
by including a few errors.

(:10049): Gtk-WARNING **: GModule (/usr/lib/gtk-2.0/2.10.0/engines/libclearlooks.so) initialization check failed: Gtk+ version too old (micro mismatch)

Also when I clicked on an external link or tried to open a JPEG attachment
I saw the following error printed in the terminal.

/usr/lib/firefox-3.6.3/firefox-bin: symbol lookup error: /usr/lib/firefox-3.6.3/libxul.so: undefined symbol: gdk_x11_window_get_drawable_impl

After some searching I found out that this was related to this
Technote of Lotus Notes on Ubuntu. I probably also took this
step when installing Lotus Notes 8.5 for the first time
because I saw that the files were there :-p.

http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21409777

$ cp /usr/lib/libgdk_pixbuf-2.0.so.0.1800.3 \
     /opt/ibm/lotus/notes/libgdk_pixbuf-2.0.so.0

$ cp /usr/lib/libgdk_pixbuf_xlib-2.0.so.1800.3 \
     /opt/ibm/lotus/notes/libgdk_pixbuf_xlib-2.0.so.0

$ cp /usr/lib/libgdk-x11-2.0.so.0.1800.3 \
     /opt/ibm/lotus/notes/libgdk-x11-2.0.so.0

$ cp /usr/lib/libgtk-x11-2.0.so.0.1800.3 \
     /opt/ibm/lotus/notes/libgtk-x11-2.0.so.0

To give it a try I moved the four files to a temp dir and started
up Lotus Notes. It gave me no more Gtk+ version too old warnings
and external URLs were working again as well as JPEG attachments.

For now I don’t know what causes it to work: just
deleting these four files and the fact that I’m running Ubuntu 10.04,
or that I deleted all four files and upgraded my
Lotus Notes 8.5 client to Fixpack 3?

Nevertheless I hope somebody will profit from this information.

Technote SPR included in Fixpack3 maybe related?

http://www-01.ibm.com/support/docview.wss?uid=swg21418210

Regenerate AWstats when using log rotation

Somewhere last week I configured AWstats for our
Connections environment to figure out what the usage is and to see
what our busiest usage period is.

Because we use cronolog to rotate our access.log file on our IHS
server, every day gets its own directory and access.log.

No problem with AWstats, you can configure it like this.

FILE ./awstats.connectons.company.com
 LogFile="/data/alogs/connections.company.com/access.log/%YYYY-0/%MM-0/%DD-0/access.log"
!FILE

But after running it for a few days I saw one host owning the host top 10
list with more than 65000 page requests in only a couple of days.
After a #dig -x 123.123.123.123 I found that this was a Notes Domino
server equipped with an agent that collected the RSS feeds of
Blogs and Activities 24/7.

By configuring the SkipHosts= option in the config file of AWstats for
our Connections environment I could ignore requests coming from
this Domino server for the upcoming stats collections.

But to get a good picture of the usage of Connections in the past days I
searched for how I could rebuild the AWstats database to completely ignore
the mentioned Domino server in all stats.

Because we use log rotation for our access logs I could not simply delete
the database as built by awstats. Only deleting the database and a
rerun of the awstats.pl script just gave me the stats of the current day.

Solution: #cat all the access logs of the different days to one and
configure this log file for a one-time run in your awstats
configuration file, et voilà.
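
The merge step above, as an added example that is not part of the original post: it walks the YYYY/MM/DD/access.log layout from the LogFile setting, concatenates the daily files oldest first, and reports any client responsible for at least half of all requests. The sample log lines are constructed, the client address is assumed to be the first field of each line, and the 50% share is an arbitrary choice.

```python
import os
import re
import tempfile
from collections import Counter

# Layout from the post's LogFile setting: YYYY/MM/DD/access.log below the root
DAY_LOG = re.compile(r"^(\d{4})/(\d{2})/(\d{2})/access\.log$")


def rotated_logs(root):
    """Return the daily access.log files under root, oldest first."""
    dated = []
    for dirpath, _dirs, files in os.walk(root):
        if "access.log" not in files:
            continue
        path = os.path.join(dirpath, "access.log")
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        match = DAY_LOG.match(rel)
        if match:
            dated.append((match.groups(), path))
    return [path for _day, path in sorted(dated)]


def merge_logs(root, merged_path):
    """Concatenate the daily logs in date order; return requests per client."""
    per_host = Counter()
    with open(merged_path, "w") as out:
        for path in rotated_logs(root):
            with open(path) as src:
                for line in src:
                    if not line.strip():
                        continue
                    per_host[line.split(None, 1)[0]] += 1
                    out.write(line.rstrip("\n") + "\n")
    return per_host


def dominant_hosts(per_host, share=0.5):
    """Clients whose share of all requests is at least `share`."""
    total = sum(per_host.values())
    return sorted(h for h, n in per_host.items() if total and n / total >= share)


def build_sample_tree(root):
    """Constructed sample: three days of logs, created out of date order."""
    feed = '123.123.123.123 - - [%s:02:00:00 +0200] "GET /blogs/feed HTTP/1.1" 200 512\n'
    user = '192.0.2.%d - - [%s:09:00:00 +0200] "GET /homepage HTTP/1.1" 200 2048\n'
    days = {"2010/05/03": "03/May/2010", "2010/04/30": "30/Apr/2010",
            "2010/05/01": "01/May/2010"}
    for rel, stamp in days.items():
        day_dir = os.path.join(root, *rel.split("/"))
        os.makedirs(day_dir)
        with open(os.path.join(day_dir, "access.log"), "w") as fh:
            fh.write((feed % stamp) * 5)
            fh.write(user % (10, stamp))
            fh.write(user % (11, stamp))


def demo():
    """Merge the sample tree; return (dominant hosts, first line, last line)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "access.log")
        build_sample_tree(root)
        merged = os.path.join(tmp, "merged.log")
        per_host = merge_logs(root, merged)
        with open(merged) as fh:
            lines = fh.read().splitlines()
        return dominant_hosts(per_host), lines[0], lines[-1]


if __name__ == "__main__":
    print(demo())
```

A host reported by dominant_hosts is a candidate for SkipHosts= before the merged file is used for the one-time run.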

Multiple server SSO config breaks River-of-News

This blog item is about a longstanding issue that we had with the
River-of-News function on the Homepage of Connections.

The problem that we had was that the River-of-News function
broke down when SSO functionality was active before
navigating to the Homepage of Connections.

We noticed this issue only on a Connections configuration where
multiple server instances were involved, like the Advanced stand-alone
installation of Connections. We didn’t have the issue on our
Stand-alone Connections installation with only one JVM.

In our environment we have configured SSO between our Connections,
Quickr, webmail and Sametime servers. The River-of-News function
broke when your initial login was on Quickr, webmail or Sametime and
you navigated to the homepage of Connections in the same session.

The error printed on the Homepage was something like below

[3/31/10 18:55:01:666 CEST] 0000004c HomepageSaveN E com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageSaveNewsAction getAllTopStoriesForPerson CLFRQ0382E: An error occurred while invoking a remote interface (EJB) for fetching news stories for person ID 37A3BC5F-CB07-D6CA-C125-72730054A71A. Check nested exception for more details.
                                 com.ibm.lotus.connections.dashboard.common.exceptions.servlet.NewsRepositoryRelatedException: CLFRQ0382E: An error occurred while invoking a remote interface (EJB) for fetching news stories for person ID 37A3BC5F-CB07-D6CA-C125-72730054A71A. Check nested exception for more details.
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageRiverOfNewsAction.handleRemoteExceptionForFetchAction(HomepageRiverOfNewsAction.java:79)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageFetchNewsAction.getAllTopStoriesForPerson(HomepageFetchNewsAction.java:307)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageFetchNewsAction.fetchAndSetStories(HomepageFetchNewsAction.java:137)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageFetchNewsAction.handle(HomepageFetchNewsAction.java:80)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.news.NewsStoryServlet.handle(NewsStoryServlet.java:126)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.news.NewsStoryServlet.doGet(NewsStoryServlet.java:73)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)

Scrolling further down the next error came by.

Caused by: java.rmi.AccessException: CORBA NO_PERMISSION 0x49424306 No; nested exception is:
        org.omg.CORBA.NO_PERMISSION: JSAS0202E: [{0}] Credential token expired.  {1}  vmcid: 0x49424000  minor code: 306  completed: No
        at com.ibm.CORBA.iiop.UtilDelegateImpl.mapSystemException(UtilDelegateImpl.java:263)
        at javax.rmi.CORBA.Util.mapSystemException(Util.java:84)
        at com.ibm.lconn.news.ejb.client._NewsStoryEJBBean_Stub.getNewsStories(_NewsStoryEJBBean_Stub.java:1296)
        at com.ibm.lotus.connections.dashboard.web.webui.internal.servlet.actions.HomepageFetchNewsAction.getAllTopStoriesForPerson(HomepageFetchNewsAction.java:304)
        … 51 more
Caused by: org.omg.CORBA.NO_PERMISSION: JSAS0202E: [{0}] Credential token expired.  {1}  vmcid: 0x49424000  minor code: 306  completed: No

A simple work-around then was to log out of Connections and log in
again directly to the Homepage.

We raised a PMR at IBM to figure out what we could do to fix this issue.

After a couple of mailings with Danny Chong from the Lotus Connections
Technical Support team we were advised to install the following iFix.

http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK77853

The stupid thing about this iFix is that the error description is totally not
relevant to our situation. Also mentioned that to the guys at IBM but
they insisted that this iFix could solve our issue.

And magically what happened :-) , our issue was solved after applying
this iFix. You can’t download this iFix separately; it is only packed in
WAS fixpack 6.1.0.25 and above. Happily they sent me the separate
iFix so I didn’t have to apply fixpack 25, something that is not supported
by Connections 2.5.

Check this link to download this iFix.

Because I think this issue is very specific to the setup you use, here
is a short list which describes ours.

- Advanced stand-alone Lotus Connections 2.5 GA fixpack 1
   ( issue was also present before fixpack 1 )
- Linux SLES 10 SP1 – WAS 6.1.0.23
- Linux SLES 9 SP4  – DB2 9.1 FP6
- Linux SLES 9 SP4   – TDI 6.1.1 FP6
- Windows 2003 SP2 – Lotus Domino 8.5.1 LDAP

Thanks again to Danny from the Lotus Connections Technical Support
team for helping us with this one.

It’s a done deal

This morning I took my Lotus Connections 2.5 exam and
passed it successfully :-) .

I found this real exam a little bit harder than the test
exam from Prometric I took last week.  A few questions
about Files and Wikis were a pain for me because
I hadn’t dived into the depths of these two parts of LC 2.5 yet.

Lotus Connections 2.5 exam

Next Monday I’m going to take the LOT-987 exam, aka
Administering IBM Lotus Connections 2.5.

To prepare myself for this one I took this test exam from
the prometric site.

http://www-03.ibm.com/certify/tests/samL987.shtml

I went smoothly through this test exam, didn’t do much
preparation before taking this ( 78%, 74% is required ).

So hopefully the real exam goes as smooth as this test exam :-) .

Some talking about the exam from other Connections
guys.

From the blog of Stuart McIntyre, he worked in the team creating the exam.

http://lotusconnectionsblog.com/blog/connblog.nsf/dx/lotus-connections-2.5-certification-now-available

Mikkel about the exam at his blog lekkimworld.com

http://lekkimworld.com/2010/02/25/im_a_certified_lotus_connections_2_5_administrator.html

Mapping groups to a role in Lotus Connections

I tried to figure out how I could map a group to
a role as used by the Lotus Connections apps.

It would be handy if I could create a group like blogadmins
which contains all the people which require admin
privileges on Blogs.

But unfortunately you can’t map groups to a role as used by
Connections, yeah you can but it won’t work.

http://www-10.lotus.com/ldd/lcforum.nsf/d6091795dfaa5b1185256a7a0048a2d0/c20e137e3b31e826852576fd00265771?OpenDocument

Because I can’t map a group to a role I need
to add every user individually.

I want this action to be scripted so I was looking how this could be
done. The trick was the separator which needs to be a “|”.

So check the script below.

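# wsadmin (Jython) script: map individual users to the roles of the Blogs app.
# Multiple users for one role are separated with "|".
appName = 'Blogs'
lcsearchadmin = 'LCdev admin'
blogadmins = 'LCdev admin|Donald Duck|Dagobert Duck|Mickey Mouse'
lcadmin = 'LCdev admin'

# Each entry: role, everyone, all authenticated, users, groups
AdminApp.edit(appName, '[ -MapRolesToUsers [ ["person" no yes "" ""] ["everyone" yes no "" ""] ["reader" no yes "" ""] ["search-admin" no no "'+lcsearchadmin+'" "" ] [ "admin" no no "'+blogadmins+'" "" ]  ["widget-admin" no no "'+lcadmin+'" "" ] ] ]')
print "done.... Configuring rights Blogs EAR"
# Persist the change to the master configuration
AdminConfig.save()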